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(54) Abstract Title 

Web server apparatus for virus chocking 

(57) A web server computer system 100 includes a virus 
checker 125 and mechanisms for checking e-mails and 
their attachments, downloaded files, and web sites for 
possible viruses. When an e-mail message contains a 
detected virus, the message is discarded, and both the 
sender and recipient are informed via e-mail that the 
message contained a virus. When an e-mail attachment 
contains a detected virus, the attachment is deleted, and 
the e-mail message wtehout the attachment is sent to the 
web client, along with a message explaining that the 
e-mail message had an attachment that was automatically 
deleted because it had a virus. When a downloaded file 
contains a virus, the downloaded file is deleted, and an 
error message is sent to the web client to inform the web 
client that the requested file had a virus. When a requested 
web site (i.e., Uniform Resource Locator (or URL)) has 
been labelled as a source for a known virus, a message is 
sent to the web client stating that a virus may have been 
downloaded from that URL. In addition, if the requested 
URL has not been labelled as a source for a known virus, 
but it contains links that have been so labelled, the web 
page is processed before being sent to the user to identify 
those potentially dangerous links. In this manner a web 
server can perform virus checking of different types of 
information real-time as the information is requested by a 
web client. 
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MSB 8KKVXK APPARATUS FOR VTR0S CHECKING 
Pield of thm Invention 

This invention generally relates to web pages and more specifically 
relates to a web server apparatus that provides information to web clients. 

Background of the Invention 

Since the dawn of the computer age, computer systems have evolved 
into extremely sophisticated devices, and computer systems may be found in 
many different settings. The widespread proliferation of computers 
prompted the development of computer networks that allow computers to 
communicate with each other . With the introduction of the personal 
computer (PC), computing became accessible to large numbers of people. 
Networks for personal computers were developed that allow individual users 
to communicate with each other. 

One significant computer network that has recently become very 
popular is the Internet. The Internet grew out of this proliferation of 
computers and networks, and has evolved into a sophisticated worldwide 
network of computer system resources commonly known as the 
w world-wide-web- , or WWW. A user at an individual PC or workstation 
(referred to as a *web client") that wishes to access the Internet 
typically does so using a software application known as a web browser. A 
web browser makes a connection via the Internet to other computers known as 
web servers, and receives information from the web servers that is rendered 
to the web client. One type of information transmitted from a web server 
to a web client is known as a *web page*, which is generally formatted 
using a specialized language called Hypertext Markup Language (HTML). 
Another type of information transmitted from a web server to a web client 
is e-mail messages and any files or other information attached to those 
messages. Yet another type of information transmitted from a web server to 
a web client is files that may be downloaded from a web site. 

An example of a typical Internet connection is shown by the apparatus 
200 in FIG. 2. A user that wishes to access information on the Internet 
170 typically has a computer workstation referred to as a *web client* 
(such as web client 210B) that executes an application program known as a 
web browser 230. A web client, represented by 210A, 210B, and 210C in 
PI0S. 2 and 3, is reff erred to herein as a web client 210. Under the 
control of web browser 230, web client workstation 210 sends a request for 
a web page over the Internet 170. Web page data can be in the form of 
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Computer viruses have emerged as a very real threat to data in 
today's computer systems. Recently, the *I Love You*' virus infected 
computer systems all over the world, and destroyed vast amounts of data, 
particularly image files. Virus checking application programs are 
currently w^i^§^^^^-4^0l^^^i^»w on individual computers. Norton 
Antivirus and two examples of commercially-available 

virus checkers. Known virus checkers run on a single computer system, such 
as a web server or a web client. These virus checkers typically are run at 
the user's request to determine whether there are any viruses on any 
specified drive or file. In addition, some virus checkers can be 
configured to automatically check incoming data in a downloaded file before 
allowing the file to be stored on the computer system. For example, Norton 
Antivirus allows a user to select an option that checks all downloaded 
files before passing them on to the user's computer system. However, all 
of the known virus checkers operate on one particular computer system, and 
there is currently no way for a virus checker on one system to check for 
viruses on a different computer system. 

As a result, the current methods for virus checking allow viruses to 
spread to web clients and cause considerable damage before being 
controlled. 

Dxscxiosona of invkmtion 

According to the present invention, there is provided a web server 
computer apparatus comprising: (a) at least one processor; (b) a memory 
coupled to the at least one processor; (c) a virus checker application 
residing in the memory; and (d) a virus control mechanism residing in the 
memory and executed by the at least one processor, the virus control 
mechanism comprising: means, responsive to a request for information from a 
web client, for invoking the virus checker application to check the 
requested information for a virus and, if the requested information 
contains a virus, notifying the web client that the requested information 
contains a virus. 

Preferably, the web server computer apparatus includes a virus 
checker and mechanisms for checking e-mails and their attachments, 
downloaded files, and web sites, for possible viruses. 

For example, in one embodiment, when an e-mail message contains a 
detected virus, the message is discarded, and both the sender and recipient 
are informed via e-mail that the message contained a virus. When an e-mail 
attachment contains a detected virus, the attachment is deleted, and the 
e-mail message without the attachment is sent to the web client, along with 
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BRUT DESCRIPTION OF DRAWINGS 

The preferred embodiment of the present invention will hereinafter be 
described, by way of example only, in conjunction with the appended 
drawings, where like designations denote like elements, in which: 

FIG . 1 is a block diagram of an apparatus in accordance with the 
preferred embodiment; 

FIG. 2 is a block diagram of a prior art apparatus for accessing 
information on a web server by one or more web clients; 

FIG. 3 is a block diagram of an apparatus in accordance with the 
preferred embodiment; 

FIG. 4 is a flow diagram of a method for a web server to scan 
requested information for a virus before serving that information to a web 
client in accordance with the preferred embodiment; 

FIG. 5 is a block diagram of the user list of FIGS. 1 and 3; 

FIG. 6 is a diagram of a display window for a user to define virus 
checking preferences for the web server in FIGS. 1 and 3; 

FIG. 7 is a flow diagram of a method performed by the e-mail virus 
processing mechanism 134 in FIGS. 1 and 3 in accordance with the preferred 
embodiment; 

FIG. 8 is a flow diagram of a method performed by the file virus 
processing mechanism 136 in FIGS . 1 and 3 in accordance with the preferred 
embodiment ; 

FIG. 9 is a flow diagram of a method performed by the web page virus 
processing mechanism 132 in FIGS. 1 and 3 in accordance with the preferred 
embodiment; 

FIG. 10 is a flow diagram of a method for performing a virus check on 
a web client at the request of a user in accordance with the preferred 
embodiment ; 

FIG. 11 is a diagram of a display window that may be displayed to a 

user to define a virus that is no.t recognised by the virus checker or t£e 
virus information database; and 



FIG . 12 is a flow diagram of a method performed by the we* server in 
accordance with the preferred embodiments. 
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155. Therefore, while the items 121-128 and 131- 138 are shown to reside 
in main memory 120, those skilled in the art will recognize that these 
items are not necessarily all completely contained in main memory 120 at 
the same time* It should also be noted that the term "memory" is used 
herein to generically refer to the entire virtual memory of computer system 
100. 

Data 121 represents any data that serves aa input to or output from 
any program in computer system 100. Operating system 122 is a multitasking 
operating system known in the industry as OS/400; however, those skilled in 
the art will appreciate that the present invention is not limited to any 
one operating system. Web server application 123 is a computer program 
that monitors requests for information, and services requests for which it 
has responsibility. In other words, when a web client requests a web page 

that is stored on a hard disk drive (e.g., 155) on web server 100, the web 

» 

server application 123 delivers the requested web page to the requesting 
web client. The e-mail server application 124 is a computer program that 
sends and receives e-mail messages and their attachments. When a web 
client that is a registered user of the e-mail server application 124 wants 
to send an e-mail message, the message is sent from the web browser to the 
web server that contains the e-mail server application 124, which then 
sends the message on towards its intended recipient. 

Virus checker application 125 is a computer program that detects the 
presence of viruses that are defined in its virus definitions 126. Note 
that virus definitions 126 may include specific viruses, as well as 
particular activity (such as writing to the boot record of a hard disk 
drive) that may signal a virus. Virus checker application 125 is similar 
to the known virus checkers that are commercially available today. Note, 
however, that virus checker application 125 must be able to run in a 
command mode rather than using a graphical user interface that requires 
user input, because the web server application 123, e-mail server 
application 124, and virus control mechanism 131 need to be able to 
initiate a virus scan using virus checker application 125 and receive 
results of the virus check without user intervention. 

The user list 127 is a list of users that are registered to use the 
virus control mechanism 131. The user list 127 includes a list of users, 
and their corresponding virus checking preferences 128 that determine how 
the web server application 123, e-mail server application 124, and/or virus 
control mechanism 131 screen incoming information for viruses. 

Virus control mechanism 131 includes the web page virus processing 
mechanism 132, e-mail virus processing mechanism 134, and file virus 
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Each of the web page virus processing mechanism 132, the e-mail virus 
processing mechanism 134, and the file virus processing mechanism 136 
preferably operate according to the user virus checking preferences 128. 
If the user so desires, any or all of these mechanisms may automatically 
check for viruses without user intervention, making these virus checks 
nearly transparent to the user. If no viruses are detected, the only 
indication to the user of the automatic virus checking that is occurring 
may be a slightly longer time to receive the requested information. Of 
course, if a virus is detected, the user will be provided with notification 
of the virus and may be presented with options for dealing with the virus. 

Processor 110 may be constructed from one or more microprocessors 
and/or integrated circuits. Processor 110 executes program instructions 
stored in main memory 120. Main memory 120 stores programs and data that 
processor 110 may access. When computer system 100 starts up, processor 
110 initially executes the program instructions that make up operating 
system 122. Operating system 122 is a sophisticated program that manages 
the resources of computer system 100. Some of these resources are 
processor 110, main memory 120, mass storage interface 130, display 
interface 140, network interface 150, and system bus 160. 

Although computer system 100 is shown to contain only a single 
processor and a single system bus, those skilled in the art will appreciate 
that the present invention may be practised using a computer system that 
has multiple processors and/or multiple buses. In addition, the interfaces 
that are used in the preferred embodiment each include separate, fully 
programmed microprocessors that are used to off-load compute -intensive 
processing from processor 110. However, those skilled in the art will 
appreciate that the present invention applies equally to computer systems 
that simply use I/O adapters to perform similar functions. 

Display interface 140 is used to directly connect one or more 
displays 165 to computer system 100. Display 165 may be a simple display 
device, such as a monitor, or may be a fully programmable workstation, and 
is used to allow system administrators and users to communicate with 
computer system 100. 

Network interface 150 allows computer system 100 to send and receive 
data to and from any network the computer system may be connected to. This 
network may be a local area network (LAN), a wide area network (WAN) , or 
more specifically the Internet 170 (as shown in FIG. 3) . Many different 
network protocols can be used to implement a network. These protocols are 
specialized computer programs that allow computers to communicate across a 
network. TCP/IP (Transmission Control Protocol /Internet Protocol) , used to 
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network administrator of a local area network, a web site administrator, a 
contact person in a virus detection company, and appropriate law 
enforcement officials, such as local, state, federal, and international law 
enforcement agencies. 

Step 420 in PIQ. 4 determines whether a request requires virus 
checking. One suitable way to perform step 420 in accordance with the 
preferred embodiments is to provide a user list that specifies virus 
checking preferences for each user. One specific implementation of a user 
list 127 is shown in FIG. 5, and includes a user name and corresponding 
virus checking preferences 128 that are preferably set by the individual 
users, but could also be set according to system defaults or overrides. 
FIG. 5 shows that a hypothetical user that has the user name of georgel23 
has virus checking preferences which specify that all e-mails should be 
automatically checked for viruses, that all downloaded files should be 
automatically checked for viruses, that web sites may be checked upon 
explicit request of the user, and that Norton Antivirus is the virus 
checker to be used. Another hypothetical user has the user name of 
fred246, and has virus checking preferences 128 which specify that all 
e-mail should be automatically checked for viruses, that all downloaded 
files may be checked upon explicit request of the user, that virus checking 
on the user's web client may be performed upon explicit request of the 
user, and that Norton Antivirus is the virus checker to be used. 

The virus checking preferences 128 for a particular user may be setup 
by the web server sending a web page or other message to the user via the 
web client. One suitable example of a sample web page for setting up user 
virus checking preferences is shown as a display window 600 in FIG. 6. The 
user may click on radio buttons to determine whether e-mail, downloaded 
files, and web pages are never checked, checked by explicit request of the 
user, or always cheeked automatically for viruses before the web server 
delivers these items to the user via the web client. In addition, the user 
may sign up for e- mail notification that includes information on the 
latest viruses and reminders and strategies for virus protection and 
detection. A drop-down box 610 is provided to allow the user to specify 
which virus checker is used to perform the virus checks. FIG. 6 shows that 
the user has selected Norton Antivirus as the desired virus checking 
program. Note that the drop-down box may contain many different 
selections, including the names of many different virus checker 
applications, a -default- selection, and a selection that tells the web 
server to determine which virus checker is best for the particular type of 
information being checked. In addition, display window 600 allows the user 
to perform local virus checking on the web client computer system using a 
special client version of the selected virus checking program. When the 
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without limitation, its size in bytes, where the virus came from, when the 
virus was detected, the location of each detection, etc. Next, method 700 
notifies the appropriate authorities regarding the virus (step 738) . As 
stated above, the authorities notified can include any human being or 
computer that has a need to know about computer viruses. 

If no virus was found in the e-mail message body (step 724=NO) , but 
there is one or more attachments to the message (step 740=YES) , all 
attachments are checked for viruses (step 742) . If no virus is found (step 
744»NO) , the e-mail message and any attachments are sent to the recipient 
(step 714). If a virus is found (step 744»YBS) , the infected attachment or 
attachments are deleted (step 750), and the e-mail message without the 
infected attachment or attachments are sent to the intended recipient (step 
752). At this point method 700 e-mails the recipient regarding the deleted 
attachment (step 732), e-mails the sender a warning that a virus was 
detected in the e-mail message (step 734), enters appropriate information 
into the virus information database (step 736) , and notifies the 
appropriate authorities of the virus (step 738) . Method 700 thus succeeds 
in automatically detecting viruses in an e-mail message and its attachments 
when the user's virus checking preferences specify that e-mails are to be 
checked for viruses. If the virus checking preferences specify that e-mail 
messages are always verified for viruses, the answer to step 712 for that 
user is always YES, and the e-mail message and any attachments will 
automatically be checked each time an e-mail message is received. In an 
alternative, if the virus checking preferences specify that e-mail message 
may be verified upon request of the user, the answer to 712 is NO unless 
the user has explicitly asked to check a particular e-mail message for 
viruses, at which time the answer to step 712 becomes YES due to the user 
enabling the virus check by explicitly requesting that the check be 
performed. While method 700 applies to e-mail messages received by e- mail 
server application 124 that specify a registered user as the recipient 
(i.e., for incoming mail), the preferred embodiments also extend to virus 
checking of e-mail messages and their attachments that are sent by 
registered users to others (i.e., in outgoing mail). 

One suitable, method in accordance with the preferred embodiment for 
the file virus processing mechanism 136 in FIOS. 1 and 3 is illustrated as 
method 800 in PIG. 8. Method 800 begins when a client requests to download 
a file (step 810) . The file can be any suitable file, such as an 
application, a text file, an audio file, a video file, or any other file 
that is capable of being downloaded. The file is first downloaded to the 
web server (step 812), and method 800 then determines whether the virus 
checking of d$wnloaae$ files is enabled (step 814). If not (step 814=3*0) , 
the downloaded file is sent to the web client (step 816) . If virus 
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local viruses. Method 1000 begins when a user requests a virus check on 
the user's web client workstation (step 1010). In response, the web server 
downloads a client virus checker to the web client (step 1012) . The web 
server then causes the web client to execute the client virus checker (step 
1014) . The client virus checker then reports the existence of any viruses 
to the server (step 1016) . If no virus was found (step 1018=*NO) , a message 
reporting no viruses is sent from the web server to the web client (step 
1020). If a virus was found (step 1018»YBS) , T a message reporting the virus 
is sent to the client (step 1030), the virus information is entered into 
the virus information database (step 1040), and the appropriate authorities 
are notified of the virus (step 1050). Method 1000 thus allows a user to 
perform local virus checks using software downloaded from the web server, 
thereby eliminating the need for virus checking software to be installed on 
each web client, and offloading at the web server the burden of performing 
virus checking on the web clients. 

Another aspect of the present invention is the ability to inform the 
web server of a virus that the user may encounter, from either an external 
source, such as a disk drive or a CD-ROM drive, or a virus that was not 
detected by the web server. In this case the user may enter information 
regarding a virus into a virus feedback form. Display window 1100 in FIG. 
11 shows a display that may be presented to a user to input information 
regarding a virus. Display window 1100 prompts the user to indicate the 
source of the virus. The user may cancel the virus feedback operation by 
clicking on the cancel button 1120. For the example in FIG. 11, we assume 
the user discovered a virus in a downloaded file, and wants to inform the 
web server of the URL that was used to download the virus. The user thus 
clicks on the ""Downloaded File" radio button, and clicks on the continue 
button 1110. At this point another display window appears, prompting the 
user for other information relating to the virus. In this particular 
example, the next display screen would preferably allow the user to enter 
the URL from which the file with the virus was downloaded. If the e-mail 
radio button in display window 1100 were selected when the continue button 
1110 is clicked, one or more display windows would then follow that allow 
the user to enter the sender of the e-mail, and whether the virus was in 
the subject line, message body, attachment, etc. In short, each selection 
in display window 1100 will cause another display window to be displayed 
with the continue button 1110 is clicked. The preferred embodiments extend 
to any mechanism for a user to provide feedback about a virus to the web 
server . 

FIG. 12 illustrates a method 1200 for a web server computer system, 
such as computer system 100 in FIG. 1 and 300 in FIG. 3. A user is 
prompted for virus checking preferences (step 1220), which allow the user 
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the same sender that are similar (e.gr. , in size or attachment name) to the 
deleted message or attachment without explicitly performing virus checks on 
these similar messages. 

One skilled in the art will appreciate that many variations are 
possible within the scope of the present invention. Thus, while the 
invention has been particularly shown and described with reference to a 
preferred embodiment thereof, it will be understood by those skilled in the 
art that these and other changes in form and details may be made therein. 
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A server counter apparatus comprising: 
(a) a t least one processor; 

(b) 
(O 



i«d to the at least one processor; 
a memory coupled to tne a 

i. n the memory; and 

1C , a virus checker application residing 
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means responsive to the requested information comprising a file for 
checking whether the file contains a virus . 

6. The apparatus of any preceding claim, further comprising a virus 
information database, coupled to the at least one processor, for storing 
information regarding at least one virus, 

7. The apparatus of claim 6 wherein the information comprising at least 
one of an address of a web page which provides access to a virus, and an 
e-mail address of a sender that sent an e-mail message that contained a 
virus . 

8. The apparatus of any preceding claim, further comprising a user list 
residing in the memory, the user list for storing user virus checking 
preferences for at least one user in the user list. 

9. The apparatus of claim 8 wherein the web page checking means, the 
e-mail checking means, and the file virus checking means are each further 
responsive to user virus checking preferences. 

10. The apparatus of any preceding claim further comprising: 

a means to download a client version of a virus checker application 
to a web client which causes the client version of the virus checker 
application to be executed on the web client to check for viruses on the 
web client. 
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